Safety requirements for automotive electronics are being standardized in a number of application segments. One such segment is chassis applications, which United States government legislation requires to be standardized for each new vehicle from 2012. A further example is electric power steering.
Automotive braking applications and steering applications also both require sophisticated electronic solutions that allow switching to a safe state in case a malfunction is detected. Accordingly, awareness of safety issues, for example within a system-on-chip (SoC), is of increasing importance in today's vehicular applications, although the use of such devices is not limited to such applications. However, the safety level required differs from application to application. For example, some applications may require Safety Integrity Level (SIL) 3, whilst other applications may require SIL 2. Safety Integrity Levels are defined as a relative level of risk reduction provided by a safety function, or as a specific target level for risk reduction. Four SIL levels are defined by the International Standard IEC 61508, ranging from SIL 4, being the most dependable, to SIL 1, being the least dependable.
Different levels of safety may require varying amounts of redundancy of building blocks and connectivity within the SoC. As a result, known SoCs are designed with a specific SIL in mind. However, the need to develop multiple SoC architectures to support multiple SILs makes the development of safety-aware devices complex and costly.
One particular area of importance for such SoCs is the Random Access Memory (RAM) provided on the SoC, which is a major contributor to possible failure conditions in the operation of the SoC. Since redundancy of a building block such as RAM within an SoC is typically tightly coupled to the architecture of the SoC and the application intended to run thereon, this is an issue for creating a family of safety-aware devices.
A significant factor in safety-related applications is to detect system failures in a timely manner in order to avoid erroneous behaviour. In order to address such problems, it is important to identify the cause of such faults. However, it is known that in many cases the identification of a system failure requires switching to a safe state (usually a restart or shutdown of the faulty system). It is also known that the switch to a safe state results in reduced availability of the system, which is undesirable. In this context, the expression ‘availability of the system’ may be considered as the degree to which a system is operable and in a committable state when called for at an unknown time. Alternatively, system availability may be considered as the proportion of time that a system is in a fully functioning condition (as defined in wikipedia.org).
As such, a system that provides increased safety or failure detection will usually provide decreased availability when there are no further means to keep the system operable once a fault has been detected. A common means to achieve increased safety or failure detection is to implement redundant sub-systems with a voting mechanism, where three or more elements run in parallel. In case of a failure of an element in such a sub-system, the voting mechanism may be used to identify the faulty element and select a correct value from one of the other elements. However, it will be appreciated that replicating any sub-system three or more times is very expensive, and is therefore rarely used, and only where it can be justified. As such, less costly implementations that are able to provide similar system availability are desirable.
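The 2-out-of-3 voting described above, written out as an added C example (not code from the patent or any product it describes). The sample buffers SAMPLE_A/B/C are constructed for the demonstration; the voter selects a majority value, names the outvoted element, and accumulates per-element disagreement counts so that a persistently outvoted element can be recognised as defective rather than merely suffering a transient upset.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of one 2-out-of-3 vote. */
typedef enum {
    VOTE_AGREE = 0,        /* all three elements delivered the same value */
    VOTE_ONE_FAULTY = 1,   /* one element was outvoted and is identified */
    VOTE_UNRESOLVED = 2    /* no two elements agree: no value can be selected */
} vote_status_t;

/* Vote over three redundant copies of one value. *out receives the majority
 * value when one exists; *faulty receives the index (0..2) of the outvoted
 * element, or -1 when no element was singled out. */
vote_status_t tmr_vote(const uint32_t in[3], uint32_t *out, int *faulty)
{
    *faulty = -1;
    if (in[0] == in[1] && in[1] == in[2]) { *out = in[0]; return VOTE_AGREE; }
    if (in[0] == in[1]) { *out = in[0]; *faulty = 2; return VOTE_ONE_FAULTY; }
    if (in[0] == in[2]) { *out = in[0]; *faulty = 1; return VOTE_ONE_FAULTY; }
    if (in[1] == in[2]) { *out = in[1]; *faulty = 0; return VOTE_ONE_FAULTY; }
    return VOTE_UNRESOLVED;
}

/* Vote element-wise over three buffers of n words. Each time an element is
 * outvoted its counter in faults[3] is incremented, so the caller can decide
 * when an element has failed permanently. Words with no majority are left
 * untouched in out[]; their number is returned so the caller can switch to a
 * safe state only when the vote genuinely cannot resolve a value. */
size_t tmr_vote_block(const uint32_t *a, const uint32_t *b, const uint32_t *c,
                      size_t n, uint32_t *out, unsigned faults[3])
{
    size_t unresolved = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t in[3] = { a[i], b[i], c[i] };
        int faulty;
        vote_status_t st = tmr_vote(in, &out[i], &faulty);
        if (st == VOTE_ONE_FAULTY) faults[faulty]++;
        else if (st == VOTE_UNRESOLVED) unresolved++;
    }
    return unresolved;
}

/* Constructed sample: element B has a single-bit upset in word 2, and all
 * three elements disagree on word 3 (hypothetical data for the demo). */
const uint32_t SAMPLE_A[4] = { 0x1000, 0x2000, 0x3000, 0x4000 };
const uint32_t SAMPLE_B[4] = { 0x1000, 0x2000, 0x3001, 0x4001 };
const uint32_t SAMPLE_C[4] = { 0x1000, 0x2000, 0x3000, 0x4002 };

int main(void)
{
    uint32_t out[4];
    unsigned faults[3] = { 0, 0, 0 };
    size_t unresolved = tmr_vote_block(SAMPLE_A, SAMPLE_B, SAMPLE_C, 4, out, faults);
    printf("unresolved=%zu faults=[%u %u %u] word2=0x%04X\n",
           unresolved, faults[0], faults[1], faults[2], out[2]);
    return 0;
}
```

With the constructed sample the voter selects 0x3000 for word 2 and charges the disagreement to element 1, while word 3 is reported as unresolved; only that last case forces the safe-state transition the text describes, the single-element fault being masked instead.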
EP1054326B1 discloses a memory error detection and correction mechanism that utilises sliced memory to store data and an X-ORed checksum for this data in an additional slice; an error correction code is used for every slice, while the X-ORed checksum is used to detect and correct errors in case of a defective slice.
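To make the sliced-memory scheme concrete, the following is an added C example of the same structure (it is not the code of EP1054326B1 and the field widths are assumptions): a 32-bit word is split into four 8-bit slices, a fifth slice holds the XOR of the four, and every slice, the checksum slice included, is protected by its own Hamming SEC-DED code. A single-bit error inside a slice is repaired by that slice's code; when a slice's code reports an uncorrectable error (the defective-slice case), the slice is rebuilt from the XOR of the remaining slices. The sample word and the injected errors are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define SLICES 4        /* 8-bit data slices per 32-bit word (assumed layout) */
#define SLICE_BITS 8

typedef enum { SLICE_OK = 0, SLICE_CORRECTED = 1, SLICE_UNCORRECTABLE = 2 } slice_status_t;

/* Hamming SEC-DED over one 8-bit slice. Positions 1..12 carry 4 check bits
 * (at 1, 2, 4, 8) and 8 data bits; position 0 carries an overall parity bit
 * so that double errors can be distinguished from single ones. */
static const int data_pos[SLICE_BITS] = { 3, 5, 6, 7, 9, 10, 11, 12 };

uint16_t slice_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (int i = 0; i < SLICE_BITS; i++)
        if (data >> i & 1) cw |= (uint16_t)1 << data_pos[i];
    /* check bit p is the parity of every position whose index has bit p set */
    for (int p = 1; p <= 8; p <<= 1) {
        int parity = 0;
        for (int pos = 1; pos <= 12; pos++)
            if ((pos & p) && (cw >> pos & 1)) parity ^= 1;
        if (parity) cw |= (uint16_t)1 << p;
    }
    int overall = 0;                       /* overall parity of positions 1..12 */
    for (int pos = 1; pos <= 12; pos++) overall ^= cw >> pos & 1;
    return cw | (uint16_t)overall;
}

slice_status_t slice_decode(uint16_t cw, uint8_t *data)
{
    int syndrome = 0, overall = 0;
    for (int pos = 0; pos <= 12; pos++)
        if (cw >> pos & 1) { syndrome ^= pos; overall ^= 1; }
    slice_status_t st = SLICE_OK;
    if (syndrome != 0 && overall != 0) {   /* single error: syndrome names the bit */
        cw ^= (uint16_t)1 << syndrome; st = SLICE_CORRECTED;
    } else if (syndrome != 0) {            /* even number of errors: not repairable */
        return SLICE_UNCORRECTABLE;
    } else if (overall != 0) {             /* only the overall parity bit flipped */
        st = SLICE_CORRECTED;
    }
    uint8_t d = 0;
    for (int i = 0; i < SLICE_BITS; i++)
        if (cw >> data_pos[i] & 1) d |= (uint8_t)(1 << i);
    *data = d;
    return st;
}

typedef struct { uint16_t slice[SLICES + 1]; } stored_word_t;   /* data slices + XOR slice */

stored_word_t word_store(uint32_t w)
{
    stored_word_t s; uint8_t px = 0;
    for (int i = 0; i < SLICES; i++) {
        uint8_t b = (uint8_t)(w >> (8 * i));
        s.slice[i] = slice_encode(b);
        px ^= b;
    }
    s.slice[SLICES] = slice_encode(px);    /* additional slice: XOR of the data slices */
    return s;
}

/* Read a word back. Returns 0 on success (including a rebuilt slice) and -1
 * when two or more slices are lost, which one XOR checksum cannot resolve. */
int word_load(const stored_word_t *s, uint32_t *w)
{
    uint8_t b[SLICES + 1]; int bad = -1;
    for (int i = 0; i <= SLICES; i++)
        if (slice_decode(s->slice[i], &b[i]) == SLICE_UNCORRECTABLE) {
            if (bad >= 0) return -1;
            bad = i;
        }
    if (bad >= 0) {                        /* any one slice is the XOR of all the others */
        uint8_t x = 0;
        for (int i = 0; i <= SLICES; i++) if (i != bad) x ^= b[i];
        b[bad] = x;
    }
    uint32_t out = 0;
    for (int i = 0; i < SLICES; i++) out |= (uint32_t)b[i] << (8 * i);
    *w = out;
    return 0;
}

int main(void)
{
    uint32_t w;
    stored_word_t s = word_store(0xDEADBEEFu);   /* constructed sample word */
    s.slice[1] ^= 1u << 6;                        /* single upset: repaired by the slice ECC */
    s.slice[2] ^= (1u << 3) | (1u << 5);          /* double upset: slice rebuilt via the XOR slice */
    printf("load=%d value=0x%08X\n", word_load(&s, &w), w);
    return 0;
}
```

The two mechanisms cover different failure classes: the per-slice code handles isolated bit upsets without any cross-slice traffic, whereas the XOR slice is the fallback for a whole slice that has become unreadable, at the cost of one extra slice rather than the threefold replication a voting scheme would need. A second uncorrectable slice is reported as a failure rather than silently masked, since the reconstruction is then ambiguous.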